rpm package
suse/python-Django&distro=SUSE Linux Enterprise Module for Package Hub 15 SP7
pkg:rpm/suse/python-Django&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-8404 | Low | 3.1 | < 4.2.11-150600.3.59.1 | 4.2.11-150600.3.59.1 | Jun 3, 2026 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached | |
| CVE-2026-7666 | Low | 3.1 | < 4.2.11-150600.3.59.1 | 4.2.11-150600.3.59.1 | Jun 3, 2026 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path netwo | |
| CVE-2026-6873 | Low | 3.1 | < 4.2.11-150600.3.59.1 | 4.2.11-150600.3.59.1 | Jun 3, 2026 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context diff | |
| CVE-2026-48587 | Low | 3.1 | < 4.2.11-150600.3.59.1 | 4.2.11-150600.3.59.1 | Jun 3, 2026 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses vi | |
| CVE-2026-35193 | Low | 3.1 | < 4.2.11-150600.3.59.1 | 4.2.11-150600.3.59.1 | Jun 3, 2026 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote att | |
| CVE-2026-25674 | — | < 4.2.11-150600.3.50.1 | 4.2.11-150600.3.50.1 | Mar 3, 2026 | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w | ||
| CVE-2025-14550 | — | < 4.2.11-150600.3.47.1 | 4.2.11-150600.3.47.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an | ||
| CVE-2026-1312 | — | < 4.2.11-150600.3.47.1 | 4.2.11-150600.3.47.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered | ||
| CVE-2026-1287 | — | < 4.2.11-150600.3.47.1 | 4.2.11-150600.3.47.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m | ||
| CVE-2026-1285 | — | < 4.2.11-150600.3.47.1 | 4.2.11-150600.3.47.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause | ||
| CVE-2026-1207 | — | < 4.2.11-150600.3.47.1 | 4.2.11-150600.3.47.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and | ||
| CVE-2025-13473 | — | < 4.2.11-150600.3.47.1 | 4.2.11-150600.3.47.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang | ||
| CVE-2025-64460 | — | < 4.2.11-150600.3.44.1 | 4.2.11-150600.3.44.1 | Dec 2, 2025 | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via | ||
| CVE-2025-13372 | — | < 4.2.11-150600.3.44.1 | 4.2.11-150600.3.44.1 | Dec 2, 2025 | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet. | ||
| CVE-2025-64459 | — | < 4.2.11-150600.3.41.1 | 4.2.11-150600.3.41.1 | Nov 5, 2025 | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansio | ||
| CVE-2025-59682 | — | < 4.2.11-150600.3.33.1 | 4.2.11-150600.3.33.1 | Oct 1, 2025 | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths s | ||
| CVE-2025-59681 | — | < 4.2.11-150600.3.33.1 | 4.2.11-150600.3.33.1 | Oct 1, 2025 | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionar | ||
| CVE-2025-57833 | — | < 4.2.11-150600.3.30.1 | 4.2.11-150600.3.30.1 | Sep 3, 2025 | An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.ali | ||
| CVE-2025-48432 | — | < 4.2.11-150600.3.24.1 | 4.2.11-150600.3.24.1 | Jun 5, 2025 | An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forger | ||
| CVE-2025-32873 | — | < 4.2.11-150600.3.21.1 | 4.2.11-150600.3.21.1 | May 8, 2025 | An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. Th |
- affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached
- affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path netwo
- affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context diff
- affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses vi
- affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote att
- CVE-2026-25674Mar 3, 2026affected < 4.2.11-150600.3.50.1fixed 4.2.11-150600.3.50.1
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w
- CVE-2025-14550Feb 3, 2026affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an
- CVE-2026-1312Feb 3, 2026affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered
- CVE-2026-1287Feb 3, 2026affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m
- CVE-2026-1285Feb 3, 2026affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause
- CVE-2026-1207Feb 3, 2026affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and
- CVE-2025-13473Feb 3, 2026affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang
- CVE-2025-64460Dec 2, 2025affected < 4.2.11-150600.3.44.1fixed 4.2.11-150600.3.44.1
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via
- CVE-2025-13372Dec 2, 2025affected < 4.2.11-150600.3.44.1fixed 4.2.11-150600.3.44.1
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.
- CVE-2025-64459Nov 5, 2025affected < 4.2.11-150600.3.41.1fixed 4.2.11-150600.3.41.1
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansio
- CVE-2025-59682Oct 1, 2025affected < 4.2.11-150600.3.33.1fixed 4.2.11-150600.3.33.1
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths s
- CVE-2025-59681Oct 1, 2025affected < 4.2.11-150600.3.33.1fixed 4.2.11-150600.3.33.1
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionar
- CVE-2025-57833Sep 3, 2025affected < 4.2.11-150600.3.30.1fixed 4.2.11-150600.3.30.1
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.ali
- CVE-2025-48432Jun 5, 2025affected < 4.2.11-150600.3.24.1fixed 4.2.11-150600.3.24.1
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forger
- CVE-2025-32873May 8, 2025affected < 4.2.11-150600.3.21.1fixed 4.2.11-150600.3.21.1
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. Th